The MBTI and security professionals

By Luther Martin — October 5, 2010

Not too many years ago, the Myers-Briggs personality test (MBTI) was very trendy. People would often take it at work and have a discussion of what the results meant, but in most cases it never got much past that. If you're one of those people who somehow managed to avoid the MBTI craze, you can learn about it on lots of web sites. If on-line tests aren't enough for you, you can even hire consultants to explain the results of your test to you. Some of these guys are actually fairly good. Others aren't.

In any event, I recently came across an interesting paper, "Profiling the Defenders," by Carrie Gates and Tara Whalen, that talked about the MBTI type of security professionals. Here's one excerpt from this paper that summarizes one if its findings:

It is perhaps not surprising to note that security professionals differ markedly from the general population, with a significant noted on each dichotomous preference. Security professionals are especially highly represented amongst INTJs, with 34% of the population. In comparison, the general population of the United States is only 3.5% INTJ.

In other words, security people aren't exactly normal, at least as defined by the MBTI. But that shouldn't come as a surprise to anyone.

Here's another excerpt that describes some of the implications of security people being different:

This implies that the majority of security professionals prefer to concentrate on the larger picture and think of future possibilities. While these are certainly valuable traits, we are at the same time lacking in those individuals who prefer to concentrate in solving the current issues with the tools that are currently available. This arguably puts the defenders at a disadvantage, it all the defenders are concentrating on how security can be made better, rather than on defending the attackers right now.

In other words, lots of security people have traits that may not be good ones to have if they're interested in protecting against hackers. All that I learned from the various MBTI workshops that I sat through in the past was that you need to understand that people are different and to allow for those difference (that's not entirely true – I also recall once being told that I'm the type likely to have ESP – that didn't give me much faith in the other results that we talked about). That also seems to be the best way to handle this bias in security people.